Message-Id: <20260126032438.63303-1-fushuai.wang@linux.dev>
Date: Mon, 26 Jan 2026 11:24:38 +0800
From: Fushuai Wang <fushuai.wang@...ux.dev>
To: jgg@...pe.ca,
	kevin.tian@...el.com,
	joro@...tes.org,
	will@...nel.org,
	robin.murphy@....com,
	nicolinc@...dia.com
Cc: iommu@...ts.linux.dev,
	linux-kernel@...r.kernel.org,
	wangfushuai@...du.com,
	syzbot+a0c841e02f328005bbcc@...kaller.appspotmail.com
Subject: [PATCH] iommufd: Initialize batch->kind field in pfn_batch

From: Fushuai Wang <wangfushuai@...du.com>

The commit 3114c674401e ("iommufd: Allow MMIO pages in a batch")
added a new 'kind' field to struct pfn_batch but failed to initialize
it.

This leads to KMSAN detecting uninitialized-value usage when
batch->kind is first read in batch_add_pfn_num():
	iopt_pages_unfill_xarray+0x86/0x1660
	iopt_area_remove_access+0x508/0x650

Initialize batch->kind to BATCH_CPU_MEMORY in batch_clear{_array}.

Fixes: 3114c674401e ("iommufd: Allow MMIO pages in a batch")
Reported-by: syzbot+a0c841e02f328005bbcc@...kaller.appspotmail.com
Closes: https://lore.kernel.org/all/6975b1f4.a00a0220.33ccc7.001f.GAE@google.com/T/
Signed-off-by: Fushuai Wang <wangfushuai@...du.com>
---
 drivers/iommu/iommufd/pages.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/iommu/iommufd/pages.c b/drivers/iommu/iommufd/pages.c
index dbe51ecb9a20..064f2cf32cc1 100644
--- a/drivers/iommu/iommufd/pages.c
+++ b/drivers/iommu/iommufd/pages.c
@@ -289,6 +289,7 @@ static void batch_clear(struct pfn_batch *batch)
 	batch->end = 0;
 	batch->pfns[0] = 0;
 	batch->npfns[0] = 0;
+	batch->kind = BATCH_CPU_MEMORY;
 }
 
 /*
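Review bot: in batch_clear(), the added `batch->kind = BATCH_CPU_MEMORY;` only closes the KMSAN report if every path that sets up a struct pfn_batch reaches batch_clear() before batch_add_pfn_num() reads kind. The hunk does not show the callers, so the commit message should name the initialization path that guarantees this. A one-line comment on the added assignment stating that BATCH_CPU_MEMORY is the default kind of an empty batch would also document why a clear resets the kind instead of keeping the previous one.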
@@ -309,6 +310,7 @@ static void batch_clear_carry(struct pfn_batch *batch, unsigned int keep_pfns)
 			 (batch->npfns[batch->end - 1] - keep_pfns);
 	batch->npfns[0] = keep_pfns;
 	batch->end = 1;
+	batch->kind = BATCH_CPU_MEMORY;
 }
 
 static void batch_skip_carry(struct pfn_batch *batch, unsigned int skip_pfns)
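Review bot: in batch_clear_carry(), the batch is not empty when the function returns (`batch->npfns[0] = keep_pfns;` and `batch->end = 1;`), so the unconditional `batch->kind = BATCH_CPU_MEMORY;` relabels the carried PFNs as CPU memory whatever kind they were added with. Please confirm that a carry can never happen on a batch holding MMIO pages, or keep the existing kind on this path and initialize it only where the batch is truly empty. Separately, the commit message says batch_clear{_array} while the function changed here is batch_clear_carry.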
-- 
2.36.1

